WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Web Invoice <= 2.1.3 - Authenticated SQLi

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well

Proof of Concept

When logged in with a user allowed to Manage invoice (default admin but can be changed via the plugin's settings), open the following URL

https://example.com/wp-admin/admin.php?page=new_web_invoice&invoice_id=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log

Affects Plugins

web-invoice
No known fix - plugin closed

References

CVE
CVE-2022-4371
URL
https://bulletin.iese.de/post/web-invoice_2-1-3_1

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Daniel Krohmer, Kunal Sharma

Submitter

Daniel Krohmer

Submitter website
https://www.iese.fraunhofer.de/en.html
Verified

Yes

WPVDB ID
45f43359-98c2-4447-b51b-2d466bad8261

Timeline

Publicly Published

2022-12-12 (about 5 months ago)

Added

2022-12-12 (about 5 months ago)

Last Updated

2022-12-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin